Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 8 Sep 2004 13:53:20 -0500

Ok, I did as suggested and used the -sV and --packet-trace options and
scanned all 65535 ports w/ Nmap 3.5.
Very, very verbose:
Interesting ports on 131.204.x.x:
(The 65525 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE       VERSION
113/tcp  open  auth?
135/tcp  open  msrpc         Microsoft Windows msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap?
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
1002/tcp open  windows-icfw?
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1720/tcp open  microsoft-rdp Microsoft Terminal Service (Used with Netmeeting, Remote Desktop, Remote Assistance)
3008/tcp open  unknown
3009/tcp open  unknown

Also, NSOCK READ SUCCESS output from the scan:
NSOCK (101.7600s) Callback: READ SUCCESS for EID 106 [131.204.x.x:113] (30 bytes): 5748, 80 : USERID : UNIX : p..
NSOCK (106.7580s) Callback: READ SUCCESS for EID 210 [131.204.x.x:139] [EOF](5 bytes): .....
NSOCK (106.7590s) Callback: READ SUCCESS for EID 194 [131.204.x.x:135] (24 bytes): ...............@........
NSOCK (106.7600s) Callback: READ SUCCESS for EID 226 [131.204.x.x:445] (115 bytes)
NSOCK (126.7820s) Callback: READ SUCCESS for EID 450 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (126.7850s) Callback: READ SUCCESS for EID 530 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (126.7870s) Callback: READ SUCCESS for EID 562 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (131.7900s) Callback: READ SUCCESS for EID 642 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (131.8300s) Callback: READ SUCCESS for EID 674 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (141.7790s) Callback: READ SUCCESS for EID 778 [131.204.x.x:1025] (24 bytes): ...............@......-.
NSOCK (151.8350s) Callback: READ SUCCESS for EID 850 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X



Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

flynngn () JMU EDU 9/8/2004 12:41:43 PM >>>
Mark Wilson wrote:

I assume you mean lower case v (-v).  Anyway, here it is:
[root@willma root]# nmap -v -p 1-65535 131.204.x.x

Nope. Upper case V. In nmap 3.5 and later, the -V option
performs a variety of things to attempt to identify the
service listening on open ports that are found. If it
doesn't recognize the service, it prints a fingerprint
that can be submitted to the developer along with
information about the service so it will be included
in the next version (at least it did in 3.5, I just tried
to produce it in 3.55 and it didn't print the unknown
fingerprint).

It would seem to be a very useful tool for malware detection
and identification if we could update the signature database
rapidly. That is why I was wondering if you'd tried it on
the malware services listening on the auth port.

Output looks like this:

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     NcFTPd
22/tcp    open  ssh     OpenSSH 3.6.1p2 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.0.49 ((Unix))
111/tcp   open  rpcbind 2 (rpc #100000)
199/tcp   open  smux    Linux SNMP multiplexer
7937/tcp  open  nsrexec 1 (rpc #390113)
32768/tcp open  status  1 (rpc #100024)


PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft IIS webserver 6.0
135/tcp  open  msrpc           Microsoft Windows msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds    Microsoft Windows 2003 microsoft-ds
1025/tcp open  msrpc           Microsoft Windows msrpc
1026/tcp open  msrpc           Microsoft Windows msrpc
1037/tcp open  msrpc           Microsoft Windows msrpc
1055/tcp open  unknown
1311/tcp open  securetransport Tumbleweed SecureTransport Transaction Manager Secure Port
3389/tcp open  microsoft-rdp   Microsoft Terminal Service (Windows 2000 Server)
5881/tcp open  vnc-http        WinVNC (Server: XXXX; Resolution 1024x800; VNC TCP port: 5981; May be standard or TightVNC)
5981/tcp open  vnc             VNC (protocol 3.3)
6288/tcp open  http            Microsoft IIS webserver 6.0
8000/tcp open  http-alt?
8009/tcp open  ajp13?
8080/tcp open  http            Apache Tomcat/Coyote JSP engine 1.0
8443/tcp open  msdtc           Microsoft Distributed Transaction Coordinator

And on the auth port: (I'd better check these now)

113/open/tcp//ident//Internet Rex identd/
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//ident//Liedentd (Claimed user: XXXX)/
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//ident//OpenBSD identd/

Again, it didn't print the signature when the service
was unknown as I expected it to and as it did in 3.5.
Maybe it's an option on 3.55.


--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
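
The port-113 check discussed in this thread, as an added example (not code from either poster or from the Nmap project): it reads Nmap grepable output and lists the hosts whose auth listener version detection could not identify, so they can be checked by hand. The sample lines and 192.0.2.x addresses are constructed, and the names `parse_ports` and `triage` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Nmap grepable (-oG) form; addresses are placeholders.
SAMPLE = "\n".join([
    "Host: 192.0.2.10 ()\tPorts: 113/open/tcp//ident//Internet Rex identd/",
    "Host: 192.0.2.11 ()\tPorts: 113/open/tcp//auth?///, "
    "135/open/tcp//msrpc//Microsoft Windows msrpc/",
    "Host: 192.0.2.12 ()\tPorts: 113/open/tcp//ident//OpenBSD identd/"
    "\tIgnored State: closed (65534)",
    "Host: 192.0.2.13 ()\tPorts: 1720/open/tcp//microsoft-rdp//Microsoft Terminal "
    "Service (Used with Netmeeting, Remote Desktop, Remote Assistance)/, "
    "113/open/tcp//auth?///",
    "Host: 192.0.2.14 ()\tPorts: 113/closed/tcp//auth///",
])

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# port/state/protocol/owner/service/rpcinfo/version/ : seven slash-terminated
# fields. Matching on slashes, not on ", ", keeps versions with commas intact.
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_ports(line):
    """Yield (port, state, proto, service, version) for one grepable Host line."""
    _, found, ports = line.partition("Ports: ")
    if not found:
        return
    ports = ports.split("\t", 1)[0]  # drop later fields such as "Ignored State"
    for m in PORT_RE.finditer(ports):
        yield int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)

def triage(text, port=113):
    """Return (hosts with an unidentified listener on port, Counter of versions)."""
    unknown, versions = [], Counter()
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if not host:
            continue
        for p, state, proto, service, version in parse_ports(line):
            if p != port or state != "open" or proto != "tcp":
                continue
            # Nmap appends "?" to a service name it guessed from the port alone.
            if service.endswith("?") or not version:
                unknown.append(host.group(1))
            else:
                versions[version] += 1
    return unknown, versions

if __name__ == "__main__":
    unknown, versions = triage(SAMPLE)
    print("unidentified auth listeners:", ", ".join(unknown))
    for name, count in versions.most_common():
        print(f"{count:3d}  {name}")
```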
